
Upload: ptidej-team

Post on 18-Dec-2014


DESCRIPTION

Security, patterns, detection

TRANSCRIPT

Page 1: Ppap13b.ppt

An Approach to Formalise Security Patterns

Luis Sergio da Silva Junior, École Polytechnique de Montréal

March, 2013

Sergio An Approach to Formalise Security Patterns 1/ 19

Page 2: Ppap13b.ppt

Context

Software Development

• Methods, Techniques and Tools

• Reuse

• Design Patterns

• Security Patterns


Page 3: Ppap13b.ppt

Security Patterns

Properties

• Group of patterns focused on security context

• Threat, Attack, Attacker, Asset, etc.

• UML diagrams

• Originally, not formally specified


Page 4: Ppap13b.ppt

Security Patterns

Example 1

• Single Access Point

• Guard Door


Page 5: Ppap13b.ppt

Security Patterns


Page 6: Ppap13b.ppt

Security Patterns

Example 2

• Roles

• Group of roles

• Restrict Access


Page 7: Ppap13b.ppt

Formal Methods

Definition

Formal Methods (FM) consist of a set of techniques and tools based on mathematical modeling and formal logic that are used to specify and verify requirements and designs for computer systems and software.

OCL and extensions

Petri Nets

ASM

others


Page 8: Ppap13b.ppt

Formalizing Security Patterns

Correct implementation of restrictions and properties

Avoid Threats and bad implementation

Security Improvement


Page 9: Ppap13b.ppt

Petri Nets

Places, Tokens and Arcs

Different Types (Coloured, Timed)

CPN-Tools

Why Petri Nets?


Page 10: Ppap13b.ppt

Case Study

Sender-Receiver example

Microarchitecture example

Constraint - the size of the message cannot be longer than 10

Structural analysis - PADL and Reflection structure

Behavioural analysis - Comparison between the pattern and the Petri Net structure


Page 11: Ppap13b.ppt

Structural analysis

Pattern detection through structural analysis

Class diagrams

Send its result to the next step


Page 12: Ppap13b.ppt

Structural analysis


Page 13: Ppap13b.ppt

Structural analysis

Create a Pattern Model using PADL

Comparison with Real objects - using Java Reflection API

Compare all attributes, associations

Display accuracy.
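
The comparison step listed on this slide, as an added example (it is not the author's tool and does not use the PADL API). The `Role` record is a hypothetical stand-in for the pattern model, the `Sender`, `Receiver`, `Message` and `PartialSender` classes are constructed samples based on the Sender-Receiver case study, and `maxSize` is an assumed name for the message-size constraint of 10.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class StructuralCheck {
    // Constructed sample classes standing in for the code under analysis.
    static class Message { String body; }
    static class Receiver { void receive(Message m) { } }
    static class Sender { Receiver receiver; int maxSize = 10; void send(Message m) { } }
    static class PartialSender { Receiver receiver; void send(Message m) { } } // no size limit field

    // Hypothetical pattern role (not a PADL type): expected field name -> type, and expected methods.
    record Role(String name, Map<String, String> fields, Set<String> methods) { }

    // Fraction of the role's expected members that the candidate class actually declares.
    static double accuracy(Role role, Class<?> candidate) {
        int expected = role.fields().size() + role.methods().size();
        int matched = 0;
        for (Map.Entry<String, String> e : role.fields().entrySet()) {
            try {
                Field f = candidate.getDeclaredField(e.getKey());
                // An attribute or association only counts when its declared type matches too.
                if (f.getType().getSimpleName().equals(e.getValue())) matched++;
            } catch (NoSuchFieldException missing) {
                // Expected member absent: contributes nothing to the score.
            }
        }
        Set<String> declared = new HashSet<>();
        for (Method m : candidate.getDeclaredMethods()) declared.add(m.getName());
        for (String m : role.methods()) if (declared.contains(m)) matched++;
        return expected == 0 ? 0.0 : (double) matched / expected;
    }

    public static void main(String[] args) {
        Role sender = new Role("Sender",
                Map.of("receiver", "Receiver", "maxSize", "int"), Set.of("send"));
        for (Class<?> c : new Class<?>[] { Sender.class, PartialSender.class }) {
            System.out.printf("%s matches role %s: %.0f%%%n",
                    c.getSimpleName(), sender.name(), 100 * accuracy(sender, c));
        }
    }
}
```

A candidate that omits the size-limit attribute scores below 100%, which is the signal that the security constraint of the pattern may be missing from the implementation.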


Page 14: Ppap13b.ppt

Behavioural analysis


Page 15: Ppap13b.ppt

Behavioural Analysis

Create Coloured Petri Net Model by CPN-Tools

Using XML extractor from the .cpn file

Using Classes, Interfaces to keep the information on Java structure

Extract method internal structure from .java file

Compare expressions and attributions from the Java source code with the Petri net arc inscription.

Display accuracy


Page 16: Ppap13b.ppt

Behavioural analysis

Expressions and Attributions


Page 17: Ppap13b.ppt

Future Work

Testing with a Real System

Single Access Point, Roles, Session

Evaluate Version with Simulation of Petri Net model

More Formal Methods

Provide running analysis.


Page 18: Ppap13b.ppt

Future Work

Find the pattern in some complex structure

Petri Net restriction - named places and transitions

Different calls, same idea (length and size)


Page 19: Ppap13b.ppt

Acknowledgment
